Monday, March 11, 2013

ViolatorWare Software

This article talks about a Chrome extension that has "turned evil". This is a strategy that I have been thinking about for some time. I think it's probably only the tip of the iceberg that this one has been found out.

This highlights the weakness in reputation-based systems with incomplete review mechanisms. This extension, like so many other products that have evolved from good to bad, started out as a useful tool, then either ceased to be useful or outright implemented "features" that the user neither expected nor finds beneficial.

The big problem is always that the economic model for "free" software puts pressure on the developer to pour in their time and energy while indirectly seeking some return (commonly called "monetisation"... or "selling out"). In the grand scheme of things this is the tragedy of all great "free" software... eventually it becomes too expensive to remain "free".

Even the great FOSS systems have all evolved mechanisms to fund their existence. Donations, "support", sponsors, selling swag, advertising, crowdfunding... etc. None are truly "free".

So what's my point today?

The point is that there will be pressure from the dark side of monetisation to take advantage of market position and trust to modify the software to do "other" things. This is kind of a trojan horse strategy... but it's really more like a "betrayal of trust" strategy. I like the term "ViolatorWare". lol.

The point I made earlier about the tip of the iceberg needs to be expanded. Think about a popular browser extension with an installed base of some 500,000 users and a reasonable upgrade cycle. If it were possible to insert a backdoor into the package and have it go undetected for some period of time (assume a competent designer with a high level of sophistication), it should be possible to deploy that exploit to a large number of the users before the flag went up.

This makes these kinds of extensions a really attractive mechanism to deploy all manner of malware, crimeware and spyware. With the ubiquity of browsers... there are virtually no places on the networked planet that are not vulnerable to that kind of attack. It would be a really effective way to generate a massive botnet in the wrong hands. However, it would only work for a little while. Whoever abused this kind of system would probably need to use it simply to bootstrap a more effective system, such as we have seen with some of the very high-level espionage systems recently. Use the ViolatorWare to open a tiny, one-time backdoor that would probably not be noticed. Use that to insert a tiny custom backdoor which then piggybacks on some other communication channel to "phone home" to a command and control system (the use of Twitter is still a bit novel... but you get the idea); basically, hide the handshake in some other traffic. This then allows the exploit to upgrade itself if needed.

Anyway, this kind of sophisticated attack is probably still out of the hands of most of the crimeware and malware writers. I would expect to see it become very popular for espionage-type attacks, as the diversity of extensions and the frequency of updates to them make it a very "noisy" system that is hard to police, hard to review, and one where it is hard to notify users when something goes bad.

The perfect target of course is extensions with the "highest" trust and the most complexity. Things like security tools. I have been expecting some of these to publicly go bad for a few years. Either through it being revealed that one of the crime gangs has been producing them right from the start, or the whole project has been purchased/hijacked/forked and is now just a front for malware delivery. This is also going to be a problem for "abandonware" extensions, where someone can "take over" the project and update it using the existing trust model.

The example that comes to mind is the hijack of Shareaza, the file-sharing client. This is tangled up in the media-industry-funded attacks on the P2P file-sharing networks, so the politics are quite nasty. The point being that the hijack certainly occurred, of both the web domain and the name, with a different software product being delivered via the channel which masqueraded as the old client and relied on the trust relationship to fool users into installing it. While that campaign was a straightforward attempt to disrupt and sabotage the file-sharing activities using a popular client rather than a determined effort to deliver a malware/crimeware package, I feel that it's a forerunner of the ViolatorWare strategy, just applied for a different end. In that case it was much more explicitly about violating the trust of the user base to drive them away from the product rather than depending on that trust to exploit an ongoing relationship.

Anyway, my prediction is that we will see more low-level ViolatorWare show up with clumsy attempts to add a little monetisation to otherwise popular extensions. The form this monetisation takes will be all the usual suspects: advertising in all its forms, data harvesting, criminal penetration via backdoors, botnetting etc. The extent of the abuse of this vector for espionage work will probably not be known for some time, but if I were an anti-virus company, I would start building libraries of all the versions of these extensions that appear so that later on we can reconstruct how this kind of incremental violation occurred.
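One concrete shape for the version library suggested above, as an added example that is not part of the original post: a small Python script that keeps every observed manifest.json of an extension, fingerprints each one so the archive can later prove what was seen, and diffs consecutive versions for the incremental permission creep described here. The extension name, version numbers and manifests are constructed for illustration, and the function names (`fingerprint`, `diff_manifests`, `review_history`) and the `HIGH_RISK` list are my own choices, not anything from the article.

```python
import hashlib
import json

# Constructed sample: three consecutive manifest.json files of a hypothetical
# extension, as a defender archiving every published version would have kept
# them. 1.1.0 adds a modest "tabs" permission; 1.2.0 quietly widens host
# access to every site, adds traffic-interception permissions and a persistent
# background page. That second step is the kind of change the archive exists
# to surface after the fact.
MANIFEST_HISTORY = {
    "1.0.0": {
        "manifest_version": 2, "name": "Example Helper", "version": "1.0.0",
        "permissions": ["storage", "https://example.com/*"],
        "content_scripts": [{"matches": ["https://example.com/*"], "js": ["helper.js"]}],
    },
    "1.1.0": {
        "manifest_version": 2, "name": "Example Helper", "version": "1.1.0",
        "permissions": ["storage", "tabs", "https://example.com/*"],
        "content_scripts": [{"matches": ["https://example.com/*"], "js": ["helper.js"]}],
    },
    "1.2.0": {
        "manifest_version": 2, "name": "Example Helper", "version": "1.2.0",
        "permissions": ["storage", "tabs", "<all_urls>", "webRequest", "webRequestBlocking"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["helper.js", "analytics.js"]}],
        "background": {"scripts": ["bg.js"], "persistent": True},
    },
}

# Grants that let an extension read or rewrite traffic on arbitrary sites or
# reach outside the browser. A new grant of any of these between two versions
# is worth a human look; the list is an assumption, not an official ranking.
HIGH_RISK = {"<all_urls>", "webRequest", "webRequestBlocking", "proxy",
             "debugger", "nativeMessaging", "cookies", "history"}


def fingerprint(manifest):
    """SHA-256 of the canonical JSON, so the archive records exactly what was seen."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def _hosts(manifest):
    """All match patterns the content scripts are injected into."""
    hosts = set()
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts


def _scripts(manifest):
    """Every script file the manifest causes to run (content and background)."""
    files = set()
    for cs in manifest.get("content_scripts", []):
        files.update(cs.get("js", []))
    files.update(manifest.get("background", {}).get("scripts", []))
    return files


def diff_manifests(old, new):
    """Security-relevant deltas between two consecutive manifests."""
    old_perms = set(old.get("permissions", []))
    new_perms = set(new.get("permissions", []))
    added = new_perms - old_perms
    return {
        "added_permissions": sorted(added),
        "removed_permissions": sorted(old_perms - new_perms),
        "added_hosts": sorted(_hosts(new) - _hosts(old)),
        "added_scripts": sorted(_scripts(new) - _scripts(old)),
        "high_risk": sorted(added & HIGH_RISK),
        "new_background": "background" in new and "background" not in old,
    }


def review_history(history):
    """Walk versions in order and flag each transition that needs review."""
    def version_key(v):
        return tuple(int(part) for part in v.split("."))
    versions = sorted(history, key=version_key)
    findings = []
    for prev, cur in zip(versions, versions[1:]):
        delta = diff_manifests(history[prev], history[cur])
        flagged = bool(delta["high_risk"] or delta["new_background"] or delta["added_hosts"])
        findings.append({"from": prev, "to": cur, "flag": flagged,
                         "fingerprint": fingerprint(history[cur]), **delta})
    return findings


if __name__ == "__main__":
    for f in review_history(MANIFEST_HISTORY):
        status = "REVIEW" if f["flag"] else "ok"
        print(f"{f['from']} -> {f['to']}: {status} perms+={f['added_permissions']} "
              f"hosts+={f['added_hosts']} scripts+={f['added_scripts']} sha256={f['fingerprint'][:12]}")
```

Run as-is it reports the 1.0.0 to 1.1.0 step as unremarkable and the 1.1.0 to 1.2.0 step as needing review. The manifest diff is deliberately the cheap first pass: the scripts named in `added_scripts` (and the changed bodies of existing ones) are what a reviewer would then pull from the archived package.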

Let's just take a moment to look at the platform implications. Since extensions (at least to browsers) are supposed to run in a sandbox model of some type... how can ViolatorWare do much damage? Firstly, breaking out of a sandbox is a proven hobby for malware writers. So, the potential will always be there. Second, even within the sandbox, the extension can do quite a lot. It's a programming model; it's not hard to build a whole email server or web server in a small amount of code and embed it into a script. It doesn't need to be powerful or general purpose, it just needs to achieve the programmer's ends. Assume that espionage systems would be able to break out of the sandbox, and there is not a whole lot that is not possible once the code is on the target computer. The point is simply that this type of attack is a different way to "socially engineer" the user to install and, more importantly, update the package by abusing a trust relationship.